panic: vm_fault: fault on nofault entry, addr: fffffe00873d8000
Fabian Keil
freebsd-listen at fabiankeil.de
Mon Dec 7 09:46:24 UTC 2015
Konstantin Belousov <kostikbel at gmail.com> wrote:
> On Sun, Dec 06, 2015 at 06:51:36PM +0100, Fabian Keil wrote:
> > > > #16 0xffffffff80877d5a in bcopy () at /usr/src/sys/amd64/amd64/support.S:118
> > > > #17 0xffffffff805f64e8 in uiomove_faultflag (cp=<value optimized out>, n=<value optimized out>, uio=0xfffffe009444aae0, nofault=<value optimized out>) at /usr/src/sys/kern/subr_uio.c:208
> > > > #18 0xffffffff8046236f in msdosfs_read (ap=<value optimized out>) at /usr/src/sys/fs/msdosfs/msdosfs_vnops.c:596
> > > > #19 0xffffffff808feb20 in VOP_READ_APV (vop=<value optimized out>, a=<value optimized out>) at vnode_if.c:930
> > > > #20 0xffffffff8039bf3a in mdstart_vnode (sc=0xfffff8004c7ce000, bp=0xfffff80028fc81f0) at vnode_if.h:384
> > > From the frame 20, do 'p *bp' in kgdb and mail the result. Do you have
> > > any non-standard values for buffer cache knobs, esp. for MAXPHYS ?
> >
> > (kgdb) p *bp
> > $1 = {bio_cmd = 1 '\001', bio_flags = 16 '\020', bio_cflags = 0 '\0', bio_pflags = 0 '\0', bio_dev = 0x0, bio_disk = 0x0, bio_offset = 0, bio_bcount = 0,
> > bio_data = 0xfffffe0077d94000 <Address 0xfffffe0077d94000 out of bounds>, bio_ma = 0xfffff8000275bc00, bio_ma_offset = 960,
>
> bio_ma_n = 33,
> This is the issue: bio_ma_n is 33. The upper layer (ZFS ?) passed down a request
> that is max-sized (see bio_length == 32 pages) but not aligned (bio_ma_offset = 960), so it covers 33 pages.
> The physical buffer used for the transient mapping cannot handle this.
>
> bio_error = 0, bio_resid = 0,
> > bio_done = 0xffffffff804e51d0 <g_std_done>, bio_driver1 = 0x0, bio_driver2 = 0x0, bio_caller1 = 0x0, bio_caller2 = 0x0, bio_queue = {tqe_next = 0x0, tqe_prev = 0xfffff8004c7ce018}, bio_attribute = 0x0,
> > bio_from = 0xfffff80010131d80, bio_to = 0xfffff800694f2a00, bio_length = 131072, bio_completed = 0, bio_children = 0, bio_inbed = 0, bio_parent = 0xfffff8000628bd90, bio_t0 = {sec = 33029,
> > frac = 13163670047247984455}, bio_task = 0, bio_task_arg = 0x0, bio_classifier1 = 0x0, bio_classifier2 = 0x0, bio_pblkno = 0}
> >
> > I don't use non-standard values for MAXPHYS or other buffer cache settings.
> >
>
> Try the following patch.
With this patch I got:
[400] Fatal trap 9: general protection fault while in kernel mode
[400] cpuid = 0; apic id = 00
[400] instruction pointer = 0x20:0xffffffff8086c603
[400] stack pointer = 0x28:0xfffffe0094422a60
[400] frame pointer = 0x28:0xfffffe0094422a80
[400] code segment = base 0x0, limit 0xfffff, type 0x1b
[400] = DPL 0, pres 1, long 1, def32 0, gran 1
[400] processor eflags = interrupt enabled, resume, IOPL = 0
[400] current process = 34142 (md0)
[...]
(kgdb) where
#0 doadump (textdump=0) at pcpu.h:221
#1 0xffffffff80316e5b in db_dump (dummy=<value optimized out>, dummy2=false, dummy3=0, dummy4=0x0) at /usr/src/sys/ddb/db_command.c:533
#2 0xffffffff80316c4e in db_command (cmd_table=0x0) at /usr/src/sys/ddb/db_command.c:440
#3 0xffffffff803169e4 in db_command_loop () at /usr/src/sys/ddb/db_command.c:493
#4 0xffffffff803194eb in db_trap (type=<value optimized out>, code=0) at /usr/src/sys/ddb/db_main.c:251
#5 0xffffffff805e2933 in kdb_trap (type=9, code=0, tf=<value optimized out>) at /usr/src/sys/kern/subr_kdb.c:654
#6 0xffffffff8087d161 in trap_fatal (frame=0xfffffe00944229b0, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:829
#7 0xffffffff8087ce3c in trap (frame=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:203
#8 0xffffffff80861ae7 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:234
#9 0xffffffff8086c603 in pmap_qenter (sva=18446741876956168192, ma=<value optimized out>, count=32) at /usr/src/sys/amd64/amd64/pmap.c:1991
#10 0xffffffff8039e673 in mdstart_vnode (sc=0xfffff80029ac7800, bp=0xfffff800270c15d0) at /usr/src/sys/dev/md/md.c:928
#11 0xffffffff8039c73c in md_kthread (arg=0xfffff80029ac7800) at /usr/src/sys/dev/md/md.c:1158
#12 0xffffffff8055c16c in fork_exit (callout=0xffffffff8039c510 <md_kthread>, arg=0xfffff80029ac7800, frame=0xfffffe0094422c00) at /usr/src/sys/kern/kern_fork.c:1011
#13 0xffffffff8086201e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:609
#14 0x0000000000000000 in ?? ()
Current language: auto; currently minimal
(kgdb) f 9
#9 0xffffffff8086c603 in pmap_qenter (sva=18446741876956168192, ma=<value optimized out>, count=32) at /usr/src/sys/amd64/amd64/pmap.c:1991
1991 m = *ma++;
(kgdb) f 10
#10 0xffffffff8039e673 in mdstart_vnode (sc=0xfffff80029ac7800, bp=0xfffff800270c15d0) at /usr/src/sys/dev/md/md.c:928
928 pmap_qenter((vm_offset_t)pb->b_data,
(kgdb) l
923 unmapped_step:
924 npages = min(MAXPHYS, roundup2(len + ma_offs, PAGE_SIZE)) /
925 PAGE_SIZE;
926 iolen = min(npages * PAGE_SIZE - ma_offs, len);
927 KASSERT(iolen > 0, ("zero iolen"));
928 pmap_qenter((vm_offset_t)pb->b_data,
929 &bp->bio_ma[ma_offs / PAGE_SIZE], npages);
930 aiov.iov_base = (void *)((vm_offset_t)pb->b_data +
931 ma_offs % PAGE_SIZE);
932 aiov.iov_len = iolen;
[...]
(kgdb) p *pb
$8 = {b_bufobj = 0x1001, b_bcount = 0, b_caller1 = 0x0, b_data = 0x0, b_error = 0, b_iocmd = 0 '\0', b_ioflags = 0 '\0', b_iooffset = -2197012545536, b_resid = -8795990460928, b_iodone = 0x2100000400,
b_blkno = 0, b_offset = 1024, b_bobufs = {tqe_next = 0xffffffff804e7bb0, tqe_prev = 0x0}, b_vflags = 0, b_qindex = 0, b_flags = 0, b_xflags = 0 '\0', b_lock = {lock_object = {lo_name = 0x0, lo_flags = 0,
lo_data = 0, lo_witness = 0xfffff80029ac7818}, lk_lock = 0, lk_exslpfail = 103222784, lk_timo = -2048, lk_pri = 655147520}, b_bufsize = 131072, b_runningbufspace = 0, b_kvasize = 0, b_dirtyoff = 0,
b_dirtyend = 0, b_kvabase = 0xfffff800062853e0 "\001\020", b_lblkno = 398, b_vp = 0xca3691a05b0bac47, b_rcred = 0x0, b_wcred = 0x0, b_union = {bu_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, bu_pager = {
pg_iodone = 0, pg_reqpage = 0}}, b_cluster = {cluster_head = {tqh_first = 0x0, tqh_last = 0x401}, cluster_entry = {tqe_next = 0x0, tqe_prev = 0x401}}, b_pages = 0xfffff800270c16d0, b_npages = 0,
b_dep = {lh_first = 0xc22730000}, b_fsprivate1 = 0x4000, b_fsprivate2 = 0xfffffe00874b8000, b_fsprivate3 = 0x0, b_pin_count = 0}
Fabian